To: 


Of: 


ICO. 


Information Commissioner's Office 


DATA PROTECTION ACT 1998 


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


MONETARY PENALTY NOTICE 


American Express Services Europe Limited 


Belgrave House, 76 Buckingham Palace Road, London, SW1W 9AX 


The Information Commissioner (“Commissioner”) has decided to 
issue American Express Services Europe Limited (“AMEX”) with a 
monetary penalty under section 55A of the Data Protection Act 1998 
(“DPA”).1 The penalty is in relation to a serious contravention of 
Regulation 22 of the Privacy and Electronic Communications (EC 
Directive) Regulations 2003 (“PECR”). 


This notice explains the Commissioner's decision. 


Legal framework 


AMEX, whose registered office is given above (Companies House 
Registration Number: 01833139) is the organisation stated in this 
notice to have transmitted or instigated the transmission of unsolicited 
communications by means of electronic mail to individual subscribers 


for the purposes of direct marketing contrary to Regulation 22 of PECR. 


1 The provisions of the Data Protection Act 1998 remain in force for the purposes of 
PECR notwithstanding the introduction of the Data Protection Act 2018 (see 
paragraph 58(1) of Part 9, Schedule 20 of the 2018 Act). 
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Regulation 22 of PECR states: 


“(1) This regulation applies to the transmission of unsolicited 


communications by means of electronic mail to individual subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a 
person shall neither transmit, nor instigate the transmission of, 
unsolicited communications for the purposes of direct marketing by 
means of electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being to 
such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 
the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient of 
that electronic mail in the course of the sale or negotiations for the 


sale of a product or service to that recipient; 


(b) the direct marketing is in respect of that person’s similar products 


and services only; and 


(c) the recipient has been given a simple means of refusing (free of 
charge except for the costs of the transmission of the refusal) the use 
of his contact details for the purposes of such direct marketing, at the 
time that the details were initially collected, and, where he did not 
initially refuse the use of the details, at the time of each subsequent 


communication. 
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(4) A subscriber shall not permit his line to be used in contravention 


of paragraph (2).” 


5; Section 122(5) of the Data Protection Act 2018 (“DPA 2018”) defines 
direct marketing as “the communication (by whatever means) of 
advertising or marketing material which is directed to particular 
individuals”. This definition also applies for the purposes of PECR (see 
DPA 2018 Schedule 19, paragraphs 430 and 432(6)). 


6. Consent is defined in Article 4(11) the General Data Protection 
Regulation 2016/679 (“GDPR”) as “any freely given, specific, informed 
and unambiguous indication of the data subject’s wishes by which he 
or she, by a statement or by a clear affirmative action, signifies 


agreement to the processing of personal data relating to him or her”. 
Ts Article 7(4) of the GDPR provides: 


“When assessing whether consent is freely given, utmost account 
shall be taken of whether... the performance of a contract, including 
the provision of a service, is conditional on consent to the processing 
of personal data that is not necessary for the performance of that 


contract.” 
8. Recital 43 of the GDPR states: 


“Consent is presumed not to be freely given... if the performance of a 
contract, including the provision of a service, is dependent on the 
consent despite such consent not being necessary for such 


performance.” 
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“Individual” is defined in Regulation 2(1) of PECR as “a living individual 


and includes an unincorporated body of such individuals”. 


A “subscriber” is defined in Regulation 2(1) of PECR as “a person who 
is a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


“Electronic mail” is defined in Regulation 2(1) of PECR as “any text, 
voice, sound or image message sent over a public electronic 
communications network which can be stored in the network or in the 
recipient’s terminal equipment until it is collected by the recipient and 


includes messages sent using a short message service”. 

Section 55A of the DPA (as amended by the Privacy and Electronic 
Communications (EC Directive) (Amendment) Regulations 2011 and 
the Privacy and Electronic Communications (Amendment) Regulations 


2015) states: 


“1) The Commissioner may serve a person with a monetary penalty 


if the Commissioner is satisfied that - 

(a) there has been a serious contravention of the requirements of the 
Privacy and Electronic Communications (EC Directive) Regulations 2003 
by the person, 

(b) subsection (2) or (3) applies. 


(2) This subsection applies if the contravention was deliberate. 


(3) This subsection applies if the person - 
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(a) knew or ought to have known that there was a risk that the 


contravention would occur, but 


(b) failed to take reasonable steps to prevent the 


contravention.” 


The Data Protection (Monetary Penalties) (Maximum Penalty and 
Notices) Regulations 2010 prescribe that the amount of any penalty 


determined by the Commissioner must not exceed £500,000. 


The Commissioner has issued statutory guidance under section 55C(1) 
of the DPA about the issuing of monetary penalties that has been 


published on her website. 


PECR implemented European legislation (Directive 2002/58/EC) aimed 
at the protection of the individual’s fundamental right to privacy in the 
electronic communications sector. PECR were amended for the purpose 
of giving effect to Directive 2009/136/EC, which amended and 
strengthened the 2002 provisions. For the purposes of this notice, as 
EU law applied at the time of the breaches of PECR, the Commissioner 


approaches PECR so as to give effect to the Directives. 


Background to the case 


AMEX is a financial services company which is well-known for providing 
a range of credit card services, including premium cards with annual 
fees. It is a wholly owned subsidiary of American Express Company, its 
US-based parent company, and was incorporated on 16 July 1984. 
AMEX’s registered office is at Belgrave House, 76 Buckingham Palace 
Road, London, SW1W 9AX. There are currently 9 active officers on 


Companies House, with 55 resigned officers. AMEX has been registered 
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with the Information Commissioner’s Office (“ICO”) since 19 June 
2006 (registration number Z9506659). 


The unsolicited marketing in question first came to the Commissioner’s 
attention after she received three complaints from AMEX customers in 
April and May 2019. Each individual had continued to receive 


marketing emails from AMEX despite opting-out from receiving them. 


The first and second complaints concerned emails containing 
promotions which linked to AMEX webpages containing offers available 
to AMEX customers. The third complaint related to an email 
encouraging the subscriber to download the AMEX app to view their 
loyalty points balance and explore the latest products and savings 


available to them. 


Two of these complainants had complained directly to AMEX before 
complaining to the Commissioner. They provided AMEX’s response to 
their complaints (dated 26 March 2019 and 9 May 2019 respectively). 
AMEX stated that, though the subscribers were opted-out from 
receiving marketing emails, the emails had not been classified as 
“marketing emails” (defined by AMEX as emails “providing customers 
with information in relation to extra products or services, or to renew 
contracts that are coming to an end”). Instead, AMEX classified the 
emails as “servicing” emails and dismissed the two complaints on this 
basis. In one of its responses, AMEX stated that, “we feel that Card 
Members would be at a disadvantage if they were not aware of these 


campaigns and promotional periods”. 


The Commissioner sent an initial investigation letter to AMEX on 3 June 
2019. This letter set out the relevant provisions of PECR, the 


Commissioner’s powers, details of the complaints, and the 
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Commissioner’s concerns. The letter requested that AMEX provide 


various pieces of information and evidence. 
AMEX requested an extension until the 4 July 2019. This was granted. 


Two further complaints were made to the Commissioner in June and 
July 2019 by individuals who had opted-out of marketing emails. The 
first of these complaints concerned marketing emails received from 
AMEX between 22 February 2019 and 25 April 2019. As with previous 
complainants, the complainant had initially contacted AMEX and 
received a response justifying the emails on the basis they were 
“servicing” rather than “marketing” in nature. AMEX’s response to the 
complaint stated that “we feel that Card Members would be at a 
disadvantage if they were not aware of these campaigns and 
promotional periods”. The second complaint concerned marketing 
emails from AMEX between November 2018 and April 2019. Again, the 
complainant initially contacted AMEX. On 1 May 2019, they received a 
response which stated “the emails you are receiving are logged as 
benefits reinforcement, rather than marketing materials. As discussed 
in our telephone call, all correspondence classed as marketing has been 


opted-out for your account”. 


AMEX responded to the Commissioner on 5 July 2019. This letter 


stated, in Summary: 


a. AMEX differentiates itself in the marketplace by offering 
benefits and rewards; the fee level chosen dictating “the level 
of the type of included benefits and rewards”. AMEX’s 
research showed that “benefits and rewards” were the key 


drivers in the selection of their products. 
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b. Its customer terms and conditions provide that AMEX will 

contact customers with product features, benefits and 

rewards. The “servicing” emails in question were “required to 

be sent based on legal and contractual requirements”. These 

emails were “reinforcement messages to ensure it is clear how 

such benefits work, to ensure Cardmembers to get value for 

money and avoid any disappointment or detriment”. Such 

“servicing” emails “do not promote cardmembers to buy 

additional products or services from Amex but outline[...] how 

to get the most of the rewards, such as iii, HE or 

Membership Rewards”. Each “servicing” email contained a 

footer stating that “You are being sent this service related 

email as it contains information about an integral benefit of 


your Card.” 


c. In response to the Commissioner’s letter, AMEX had instigated 
an independent internal review of its practices related to 
electronic communications. Whilst that review was ongoing, it 
had placed an “interim hold” on “servicing” emails sent to 


individuals who had opted-out of direct marketing emails. 


Attached to AMEX’s response was 11 distinct terms and conditions 
contained in the credit agreements for the different cards that it 
provides ("Credit Agreements”). Under the heading “Contacting 
You”, each of the Credit Agreements contain the following (emphasis 
added): 


“We may send you important messages and other communications 
(including alerts about certain activity on your account) about your 
account, card or card benefits in line with your preferences. This could 


be by email or SMS, on your statements or by posting them in the 
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online account centre, for example, we may send you an alert to 


confirm that you've updated your contact information” 


AMEX provided its ‘Cardmember Privacy Statement’, which is provided 
to UK personal cardmembers when they open an account with AMEX. 
Under the heading “Use of information”, the policy states that (original 


emphasis in bold, added emphasis underlined): 


“We use your Personal Information: (i) where it is necessary for the 
performance of a contract or compliance with a legal obligation (e.g., 
due diligence financial institutions are required to perform before 
approving card accounts); (ii) for our legitimate interests, such as to 
establish, exercise or defend legal claims, prevent fraud and/or 
enhance our products or services; or (iii) where we have obtained your 


consent, such as for marketing purposes. More specifically, we use 
your Personal Information to do the following: 


e deliver products and services, including to: 


e administer and manage your account, such as whether to 
approve individual transactions; 

e communicate with you through email, SMS or any other 
electronic methods about your accounts, products, and services 
and to update you about new features and benefits attached to 
the products or services that you requested; 

e service and manage any benefits and insurance programmes 


provided along with the products or services that you requested; 


e advertise and market products and services for the American 
Express Group of Companies and our Business Partners, 


including to: 
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e present content that is personalised in accordance with your 


preferences; 


e communicate promotions and offers to you (by mail, e-mail, 
telephone, SMS, via the internet or using other electronic means) 
in relation to products and services that may interest you or 
which are similar to your existing American Express products and 


services; ...” 


AMEX provided the Commissioner with its procedures for the sending of 
advertisements, financial promotions or other communications. These 
included its “International Email Policy - United Kingdom”, dated 
August 2018. The Commissioner notes the following elements of this 


policy in particular: 


a. Section 1 of the policy describes the PECR and how it applies 
to email marketing, and includes the statemen that “For non- 
marketing messages, no consent is required therefore 
American Express is not required to either obtain an opt-in or 
give the opportunity to opt-out of any other type of 
messages”. 


|” 


b. Section 2 is titled “Marketing Emails - General” and states 
that “Marketing emails include, but are not limited to, email 
messages with the primary purpose of acquisition, cross- 
selling, including communications provided to promote an 
American Express Product or Service”. Section 2 goes on to 
state that “American Express will generally need an 


individual’s consent before we can send marketing emails“. 
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c. Section 8 is titled “Servicing and Operational Emails”. It 


employs the following definitions: 


“Operational Emails are defined as: 
e Purely factual / operational communication with no 
content promoting products or services to recipient 
including information promoting services and/or 
benefits associated with American Express product 


held by recipient - e.g. account alerts 


Servicing Emails are defined as: 
e Communication including information promoting 
services and/or benefits associated with American 
Express product held by recipient - e.g. benefit 


awareness / reinforcement 


Marketing Emails are defined as: 
e Communication promoting products and services 


not held by recipient” 


d. Section 8 goes on to state that “Without exception all 
Marketing and Servicing emails must be reviewed by the UK 


Advertising Review Team”. 


e. The policy does not, at any stage, repeat the definition of 
“direct marketing” from section 122(5) of the DPA 2018. 


27. AMEX provided a PDF titled “Prospect Journey”, which included a 
screenshot of the initial marketing preferences page presented to a 
customer when they open an account with AMEX online. The consent 


wording reads as follows: 
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“Please tick this box to get the most out of your new American Express 
Card. We will keep you informed via email about promotions associated 
with your Card, such as Cardmember events, exclusive presales and 
offers. We will not share your email address with other companies to 
market their own products or services. The preference you make here 
will also apply to other American Express cards if they use the email 
address you have provided as part of this application. You can update 


your preferences later if you wish.” 


In the 5 July 2019 response, AMEX also provided details of its internal 
training procedures, including examples of training materials. The 
“Communications and Financial Promotions Training” for the “UK 
Advertising Review Team” materials were the only materials provided 
by AMEX which appear (at internal page 24 of the document) to refer 
to obligations relating to direct marketing. However, this reference is 
indirect and brief, and the material is largely focused on clear, fair and 
accurate marketing and compliance with requirements regulated by the 


Financial Conduct Authority and Advertising Standards Authority. 


AMEX provided a spreadsheet of all complaints received regarding 
unsolicited emails between 1 June 2018 and 31 May 2019. AMEX stated 
that, during this period, it had received “22 complaints resulting from 
the approximately forty-four million servicing communications sent to 
our RR cardmember base”; and that, in its view, a number of 
the complaints regarded the frequency, rather than content, of the 
emails. On the Commissioner's reading, most of these complaints 
appear to concern the receipt of marketing emails by customers who 


had opted-out from receiving such emails. 
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30. AMEX provided copies of all emails which it had classified as “servicing” 
emails, excluding those that were “sent in response to specific legal or 


regulatory requirements, such as fraud prevention or credit application 


assessment”. 


31. In total, AMEX provided 352 emails which had been classified as 


“servicing”, totalling 50,388,228 individual emails. 


32. Following review of these emails by the Commissioner, a total of 83 
distinct emails sent between 1 June 2018 and 31 May 2019 were 
identified as falling within scope of PECR. These emails can be grouped 


into 9 categories, which are now addressed in turn. 
ME newsletter 


33. TheM newsletter was sent to holders of AMEX MM cards. 11 
distinct emails were sent to subscribers between June 2018 and May 
2019. The =a newsletter consists of promotions for exclusive events 
bookable through the AMEX Concierge service, some of which were 
complimentary, but many of which were paid for. The footer of each of 
email stated: “All paid offers are subject to availability, booked on a 


first come first served basis and must be booked using your American 


Express EE Card® through your [i Concierge service”. 


34. In total, 297,410 of these emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 


D offers emails? 


2 A table summarising the emails is set out at paragraph 58 below. 

3 AMEX has indicated to the Commissioner that these emails concerned promotional offers 
over and above the intrinsic rewards scheme which is part of the QJ Card services it 
offers customers. 
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A key benefit of many of the cards provided by AMEX is ‘qT’. 
eerie is obtained on purchases made via the customer’s AMEX 
card, with a flat rate of [MM offered on all purchases and special 
rates on specific promotions. AMEX sent 3 distinct emails to customers 
regarding [BBM offers. For example, one of the special promotions 
offered by AMEX was that, should a customer spend £500 in D 
GE they would receive £50 J These emails were titled 
“award-winning offers just for you” and contained links to the offers 
page of the AMEX website, which would allow individuals to load an 


offer on to their card before making a purchase. 


Of the 5 complaints to the ICO referred to above, 4 concerned this 


In total, 907,656 of these emails were sent to subscribers who had 
opted-out from receiving direct marketing emails. 


‘Come back to I’ emails* 


10 distinct emails titled ‘to II” were sent to 
customers who had not used their card 


for a period of time. These emails were worded to encourage the 
customer to use their card in order to take advantage of the DE 


feature and other AMEX offers and benefits. For example, one of these 


"Remember your American Express © i. 


Credit Card? It could still help you to earn] on all your 


purchases and reconnect you with many more benefits. 


35. 
36. 
category of email. 
37. 
38. 
emails states: 
4 Tbid. 
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Have you discovered Amex Offers? You can sign up to save on 
shopping, dining and entertainment offers from big brands, direct to 


your Card.” 


In total, 36,214 of these emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 


WM card emails> 


AMEX operates a branded card, which allows 


customers to accumulate J points upon use of the card. AMEX 
sent 6 distinct emails to WE card customers. The content of these 


emails was aimed at promoting the use of the card. 


4 emails were sent on the 12 April 2019, before the Easter bank 
holiday, and were titled “going away this bank holiday? Don’t forget 


your ii Card”. For example, one of these emails 


stated the following in the body of the email: 


“Your RE American Express® Credit Card provides you with 
rewards and benefits which you can use both at home and on trips 


abroad. 


Discover below some of the great benefits your Card has to offer 


before, during and even after your trip. 


Remember, don't go abroad without it.” 


5 For sake of completeness: the [card emails were sent by AMEX alone, without the 
involvement of : 
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Two emails were sent with the internal AMEX description 
“Reactivation”. They appear to have been sent to customers who were 
not using their cards. They were titled “Bring your next holiday closer 


with your everyday spending”. The emails affirmed the benefits of 
using the J AMEX card, stating: 


“Are you getting the most from your Card? 


Your EE American Express® Credit Card is your passport 


to a more rewarding world. 


From your daily coffee purchases, streaming services, or your annual 
season ticket - whenever you use your Card, you collect Hi. 
Redeem your collected Wl for flights, hotels, or car hire, or even use 
your GM for part payment towards an unmissable experience.” 


In total, 302,409 of the [J card emails were sent to subscribers who 


had opted-out from receiving direct marketing emails. 
‘Explore’ emails 


AMEX conducted a campaign where it sent emails to customers 
regarding the use of their card in specific locations abroad (e.g. Paris). 
36 distinct emails of this kind were sent regarding different locations. 
As set out below, AMEX has confirmed that these emails were targeted 
to locations individuals had travelled to. These emails encouraged the 
customer to use the card overseas, rather than merely reminding them 
of the ability to use their card. The standard wording used was "Don’t 
explore [location] without it. From [location] to [location], live like a 
local when you visit [location]”. The emails then went on to provide a 


city guide of locations where an AMEX card could be used. 
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In total, 219,514 of these emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 
‘Card is welcome’ emails 


Consumers may be discouraged from using an AMEX card because of 
concerns that it will be less widely accepted than cards supplied by 
other providers. AMEX sent 4 distinct emails to customers regarding 
the availability of, and rewards and benefits of using, their card. These 
emails were worded in a way which encouraged the customer to make 


purchase on their card. For example, one of these emails stated: 


“From grabbing lunch to the weekly shop, your American Express® 
Card is welcomed at your favourite supermarkets. 


And what's even better, whenever you make purchases you can enjoy 
the rewards and protection that come with your Card, even when you 


buy online. 


So make sure you don’t miss out on being rewarded at places like 


these: [5 well-known supermarkets ]” 


In total, 330,361 of these emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 
‘Save your card details’ 


AMEX sent 7 distinct emails titled “save your new card details to every 


online account”. These emails were designed to encourage individuals 
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to make purchases on their cards, rather than merely reminding them 


to update details which may have expired. Each email stated: 


“Check out faster whenever you shop online at websites like 
© EE o 5279 your new Card 
details today. Don’t miss out on earning Membership Rewards® points 


on every eligible purchase that you make. 
A more rewarding way to shop online 


Get points for every pound you spend, extra points on selected 
purchases and redeem for a wide range of shopping, travel and gift 


cards.” 


In total, 10,751 of these emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 
AMEX app emails 


AMEX sent 14 distinct emails regarding the AMEX app. 11 of these 
emails provided the customer with information regarding administrative 
tasks which could be completed via the app. However, 3 of these 
emails encouraged customers to use or download the app to access 
information regarding rewards and offers. They also promoted the app 


with a view to encouraging customers to make purchases on their card. 
One of these 3 emails stated: 


“There’s a lot on offer 


Your offers are loaded, ready to be redeemed. 
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As a Cardmember, you have access to personalised offers wherever 
you are, all on the go with the Amex App - so youl never miss a 


saving while you’re out and about again. 
Visit the Offers tab to discover savings near you.” 
The remaining 2 emails both stated: 


“Rewarding your loyalty 


Watch your points increase everyday. 


Get up-to-date information on your current rewards points balance, 
explore the latest products and savings available, and earn even more 


rewards by referring friends and family. 


So whether you are earning Membership Rewards® or I) visit the 
Membership tab today to keep track of your rewards.” 


In relation to these 3 emails, 1,296,123 in total were sent to 


subscribers who had opted-out from receiving direct marketing emails. 
‘Shop Small’ emails 

AMEX runs a promotion called “Shop Small”. This is a promotional 
period available to AMEX cashback cardholders during which an 
improved rate of cashback (e.g. £5 cashback for every £10 pounds 
spent) is offered for purchases at certain “small” retailers. 


AMEX sent a series of emails regarding “Shop Small”: 


a. An initial email, informing the subscriber of the campaign; 
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b. A notification of registration to the scheme; 


c. Three reminder emails about the scheme to those who had 


signed up to it; and 


d. A thank you email to subscribers for purchasing something 


through the scheme. 
The initial email stated: 


“Shop Small celebrates the small businesses that do big things in our 
local communities, while also rewarding Cardmembers for showing 


their support for where they live. 


The offer ... incentivises Cardmembers to support their local small 
businesses by shopping small frequently, giving them a £5 statement 
credit where they have saved the Offer to a qualifying American 
Express Card and use it to make a qualifying purchase for at least £10 


at participating small businesses. 


... Cardmembers can earn a maximum of £50 back in statement credits 


during this December’s Shop Small.”. 


In total, 698,403 of the initial emails were sent to subscribers who had 


opted-out from receiving direct marketing emails. 
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Summary of direct marketing emails internally classified as “servicing” 


A summary of the direct marketing emails internally classified by AMEX 
as “servicing” sent between 1 June 2018 and 31 May 2019 is provided 


in the table below, sorted by subject matter. 


Subject Distinct emails Total sent | Total sent to 
matter involving direct opt-out 

marketing 

11 660,859 297,410 
newsletter 

3 1,872,260 | 907,656 
offers 
‘Come back to | 10 76,893 36,214 
Wl Card 6 633,520 302,409 
‘Explore’ 36 375,955 219,514 
‘Card is 4 464,876 330,361 
welcome’ 
‘Save your 7 22,965 10,751 
card details’ 
AMEX app 3 2,704,536 | 1,296,123 
‘Shop Small’ 1 727,820 698,403 
Total 83 7,539,684 | 4,098,841 


Following analysis of the emails provided by AMEX, the Commissioner 


sent a further request on 26 July 2019 requesting (a) volumes of 


receipts for the emails sent to customers who had opted-out of direct 


marketing emails in the period between 1 June 2018 and 31 May 2019 


(i.e. how many emails were successfully delivered), and (b) a 


screenshot of users’ marketing preferences page. 


AMEX responded on 2 August 2019. It confirmed that it does not 


capture receipt information, so was unable to comply with the first part 
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of the Commissioner’s request. However, it was able to provide a 


screenshot of the customer marketing preferences page. The consent 


wording reads as follows: 


“How may we contact you with promotions on getting the most out of 
your American Express Card, such as Cardmember events, exclusive 
presales and offers? We will not share your email address with other 


companies to market their own products or services: 
Email [yes/no] ...” 


All the above “servicing” emails were sent to subscribers who had 
either (a) decided not to opt-in to promotional email on the initial 
marketing preferences page (set out at paragraph 27 above) at the 
time of opening their account, or (b) afterwards checked “no” in the 
“email” box in the marketing preferences page set out in the paragraph 
immediately above. 


The Commissioner sent a further request for information to AMEX on 
20 August 2019 for clarifications on the information it had previously 
provided. AMEX responded on 9 September 2019. In summary, AMEX 


explained: 


a. The procedure via which communications are sent. Marketing, 
operational and product teams within AMEX work together to 
produce the content across all communication channels and 
classify emails they have drafted as either “marketing” or 
“servicing” messages. Only those classed as “marketing” are 
scrubbed against the global marketing suppression list. All 
emails are then subject to a review and approval process from 


relevant stakeholders, including AMEX’s compliance 
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department. The emails are then sent by third party vendors 


with whom contracts are held. 


b. The proportion of customers opted-out from marketing 


communications. 
N =- o 


these customers had opted-in to receive marketing. 49.8% 


had either opted-out or not opted-in. 


c. The “Credit and Charge Card Agreements” for each type of 
card, which cardholders must sign before accessing AMEX 
services, were drafted by the in-house AMEX legal team, with 


advice from external counsel. 


d. The “come back to ME emails were sent to 
En Card customers who had had no spend or 


balance for three consecutive months. AMEX said that the 
emails were sent as a “reinforcement message to ensure 


these Cardmembers are getting the most from their product”. 


e. The ‘Explore ...’ emails were “triggered upon the first physical 
transaction in the city that the email refers to”. AMEX justified 
the sending of these emails on the basis that these messages 
constituted “servicing” communications which were intended 
to “raise awareness of card coverage”, noting that “our 
customers will not purchase products from American Express 


unless they find value in doing so.” 


63. An end of investigation letter was sent to AMEX on 10 October 2019. 
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In conclusion, the Commissioner is satisfied that, between 1 June 2018 


and 31 May 2019, AMEX transmitted 4,098,841 marketing emails to 


subscribers who had opted-out to receiving marketing emails. 


The Commissioner has made the above findings of fact on the 


balance of probabilities. 


The Commissioner has considered whether those facts constitute 
a contravention of Regulation 22 of PECR by AMEX and, if so, whether 


the conditions of section 55A DPA are satisfied. 

The contravention 

The Commissioner finds that AMEX contravened Regulation 22 of PECR. 
The Commissioner finds that the contravention was as follows: 


Between 1 June 2018 and 31 May 2019 there were 4,098,841 direct 
marketing emails received by subscribers. The Commissioner is 
satisfied that these emails constituted “direct marketing” as defined by 
section 122(5) of the DPA 2018 because each of the emails encouraged 
customers to use their AMEX credit cards to make purchases. One 
category of emails (the AMEX app emails) also encouraged customers 


to download and/or use the AMEX app. 


AMEX internally classified the emails in question as “servicing” rather 
than “marketing”. However, the fact that the emails engaged in 
advertising and marketing can be seen from their content. None of the 
emails in question were neutrally worded and purely administrative in 
nature. Instead, each email sought to encourage the customer to make 


purchases on their AMEX card (and, in the case of the AMEX app 
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emails, also to make use of this product). In relation to specific 


categories of emails: 


a. The [J newsletter emails encouraged customers to book 


tickets for exclusive events, many of which were paid for. 


b. The EE offers emails encouraged customers to make 
purchases on their cards which qualified for special PE 
offers. 


c. The “come back to emails encouraged customers to 
make purchases on their i cards, 
where they had not used those cards for a period of time, by 
highlighting the ME feature of the card, as well as other 
AMEX offers and benefits. 


d. The I card emails encouraged customers to make purchases 
on their card by highlighting the rewards and benefits 
resulting from such purchases, including the benefits of 
accruing J points. Two of these emails sought to 
encourage customers not using the card to start making 


purchases on it. 


e. The “explore ...” emails encouraged individuals to make 
purchases on their cards when travelling abroad (rather than 
merely reminding them of their ability to use the card), in 
particular by providing a city guide of locations where the card 


could be used. 


f. The “card is welcome” emails encouraged customers to make 
purchases on their cards, not only seeking to allay doubts 


about the availability of the card, but also by highlighting the 
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benefits and rewards that would result from making such 


purchases. 


. The “save your card details” emails encouraged customers to 


make purchases on their cards (rather than merely reminding 
them to update details which may have expired) by 


highlighting the rewards resulting from purchases. 


. Of the 11 AMEX app emails, 3 prompted customers to 


download and/or use the app to access information regarding 
their eligibility for rewards and offers, including personalised 
offers. Two of these emails sought to encourage uptake of the 
app by promising rewards if customers referred family and 
friends. As well as promoting the app in its own right, these 
emails promoted the app with a view to encouraging 
customers to make purchases on their cards. 


The initial “Shop Small” emails encouraged customers to make 


|” 


purchases on their cards at select “small” retailers by 
communicating the existence of [MJ offers on such 


purchases. 


In any event, AMEX’s “International Email Policy - United Kingdom” 
indicates that “servicing” emails involve advertising and marketing 
content. The policy defines such emails as “Communication including 
information promoting services and/or benefits associated with 
American Express product held by recipient” (emphasis added). This 
definition can be contrasted with the definition of “operational” emails: 


“Purely factual / operational communication with no content promoting 
products or services to recipient including information promoting 
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services and/or benefits associated with American Express product held 


by recipient” (emphasis added). 


Furthermore, in letters responding to customer complaints, AMEX 
stated that “we feel that Card Members would be at a disadvantage if 
they were not aware of these campaigns and promotional periods”. 
AMEX accepted here that “servicing” emails include advertising or 


marketing material. 


The Commissioner finds that AMEX transmitted or instigated the 
transmission of the direct marketing messages sent, contrary to 
Regulation 22 of PECR. 


AMEX, as the transmitter or instigator of the direct marketing, is 
required to ensure that it is acting in compliance with the requirements 
of Regulation 22 of PECR, and to ensure that valid consent to send 


those messages had been acquired. 


The 4,098,841 emails in question were sent to subscribers who had 
opted-out from receiving direct marketing communications by email. 
This is not disputed by AMEX. 


AMEX states that the emails in question were “required to be sent 
based on legal and contractual requirements” arising from its Credit 
Agreements with customers. The Commissioner has rejected this 


suggestion for the following reasons. 


a. The “legal and contractual requirements” referred to by AMEX 
cannot override the statutory protection afforded by PECR 
Regulation 22 to explicit opt-out decisions made by 


customers. 
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b. The “legal and contractual requirements” referred to by AMEX 

are worded in a way which is sensitive to the customer’s 

marketing preferences. In particular, the Credit Agreements 

state that AMEX “may send you important messages and 

other communications ... about your account, card or card 

benefits in line with your preferences” (emphasis added). 

Further, AMEX’s privacy statement provides that “We use your 

Personal Information ... (iii) where we have obtained your 

consent, such as for marketing purposes” (emphasis added). 


c. Considered alone, the “legal and contractual requirements” 
referred to by AMEX do not satisfy the requirement for valid 


consent. In particular: 


i. Consent to receive direct marketing emails is not “freely 
given” where it is a condition of receiving AMEX’s 
services in circumstances where such consent is not 
necessary for contractual performance by AMEX. 


ii. Nor is consent “freely given” where customers are 
unable to withdraw it in the future. The ability of 
individuals to withdraw consent is explicitly recognised 
at Regulation 22(2) of PECR, which refers to a person 
“consent[ing] for the time being” (emphasis added). 


iii. Consent is not “informed” where the “legal and 
contractual requirements” relied on by AMEX are not set 
out prominently and separated from other terms and 
conditions, but are contained within overall terms and 


conditions. 
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The Commissioner is therefore satisfied from the evidence she has 


seen that AMEX did not have the necessary valid consent for the 


4,098,841 direct marketing messages received by subscribers. 


AMEX has stated that customers would be “at a disadvantage if they 
were not aware of the campaigns and promotional periods”. There is no 
exemption under PECR Regulation 22 which allows organisations to 
send marketing emails they consider advantageous for subscribers 
where they have not received prior consent to do so. If there were, 
such an exemption would likely be relied on by all persons in breach of 


the PECR direct marketing rules. 


The Commissioner has gone on to consider whether the conditions 
under section 55A DPA (as extended and modified by PECR) are met. 


Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified 

above was serious. This is because, between a 12-month period from 1 
June 2018 to 31 May 2019, a confirmed total of 4,098,841 direct 
marketing messages were sent by, or at the instigation of, of AMEX. 
These messages contained direct marketing material for which 


subscribers had not provided adequate consent. 


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA (as extended and modified by PECR) is met. i 


Deliberate or negligent contraventions 
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The Commissioner does not consider that AMEX deliberately set out to 


contravene PECR in this instance. 


The Commissioner has gone on to consider whether the contravention 
identified above was negligent. This consideration comprises two 


elements: 


First, she has considered whether AMEX knew or ought reasonably to 
have known that there was a risk that these contraventions would 
occur. She is satisfied that this condition is met for the following 


reasons: 


a. During the period in question, AMEX sent a large number of 
direct marketing emails internally classified as “servicing” 
(7,539,684 in total). It is clear that direct marketing 
constitutes an important part of AMEX’s business. More 
generally, AMEX is one part of a large multinational company 
and provides services for a large number of customers 
es shou 
therefore have sought to ensure its marketing operations 


complied with the relevant statutory regime. 


b. AMEX had internal procedures to ensure that marketing 
communications were sent in accordance with PECR. In 
particular, its “International Email Policy - United Kingdom” 
explicitly referred to PECR and attempted to provide an 
overview of the requirements imposed by it. AMEX also 
provided internal training for its employees on legal and 
regulatory requirements governing the sending of marketing 


communications. 
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c. Both AMEX’s definition of “servicing” emails, and its letters 
responding to customers complaints, indicate AMEX was 


aware that such emails contained advertising and marketing 


content. 


d. During the period of the contravention (1 June 2018 and 31 
May 2019), AMEX received 22 complaints regarding its 


“servicing” communications. 


e. AMEX has been registered with the ICO since 19 June 2006. 
The Commissioner has published detailed guidance for those 
carrying out direct marketing explaining their legal obligations 
under PECR. This guidance gives clear advice regarding the 
requirements of consent for direct marketing and explains the 
circumstances under which organisations are able to carry out 
marketing over the phone, by text, by email, by post, or by 
fax. In particular it states that organisations can generally 
only send, or instigate, marketing emails to individuals if that 
person has specifically consented to receiving them; and 
highlights the difficulties of relying on indirect consent for 
email marketing. In case organisations remain unclear on 
their obligations, the ICO operates a telephone helpline. ICO 
communications about previous enforcement action where 
businesses have not complied with PECR are also readily 


available. 


It is therefore reasonable to suppose that AMEX should have been 


aware of its responsibilities in this area. 


Secondly, the Commissioner has gone on to consider whether AMEX 
failed to take reasonable steps to prevent the contraventions. Again, 


she is satisfied that this condition is met. 
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Reasonable steps in these circumstances may, in particular, have 


included a combination of the following: 


a. Ensuring that its internal procedures were compliant with 
PECR. In particular, AMEX could have ensured that its 
“International Email Policy - United Kingdom” contained 
consideration of how “direct marketing” is defined for the 
purposes of PECR and how this applied to emails AMEX had 


internally classified at “servicing”. 


b. Consulting ICO guidance and/or the ICO telephone helpline to 


ensure its marketing policy was compliant with PECR. 


c. Meaningfully reviewing its approach to marketing following the 
receipt of 22 complaints regarding internally classified 


“servicing” emails. 


In the circumstances, the Commissioner is satisfied that AMEX failed to 


take reasonable steps to prevent the contraventions. 


The Commissioner is therefore satisfied that condition (b) from section 


55A(1) DPA (as extended and modified by PECR) is met. 


The Commissioner's decision to issue a monetary penalty 


The Commissioner has taken into account the following 


aggravating features of this case: 


e As set out above, the breach was negligent. 
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e There has been deliberate action for financial or personal gain. 
The emails in question were all designed to encourage 


customers to make purchases on their cards, which would 
benefit AMEX financially. 


e Advice or guidance has been ignored or not acted upon. 
Guidance on Direct Marketing and in particular, the sending of 
marketing emails is available on the ICO website. The ICO 
Helpline is also available for organisations who may require 


clarity in their practices. 


e AMEX failed to review its marketing model in light of complaints 


raised by various individuals. 


91. The Commissioner has also taken into account the following mitigating 
factors: 

e When the Commissioner began her investigation, AMEX 
commenced its own independent internal review and 
stopped marketing to customers who had opt-out of 
receiving direct marketing communications by email. AMEX 
has notified the Commissioner that the independent 
internal review concluded in December 2019 and that 
AMEX has made several changes to its processes and 
procedures to ensure compliance with PECR. AMEX has also 
confirmed to the Commissioner that it will continue to 
assess the changes made as a result of the internal review 


to ensure ongoing compliance. 


92. For the reasons explained above, the Commissioner is satisfied that the 


conditions from section 55A(1) DPA have been met in this case. She is 
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also satisfied that the procedural rights under section 55B have been 


complied with. 


The latter has included the issuing of a Notice of Intent (dated 18 
February 2021), in which the Commissioner set out her preliminary 


thinking. 


In reaching her final view, the Commissioner considered 


representations received by AMEX on 17 March 2021. 


Within those representations, AMEX did not seek to challenge the 
Commissioner’s intention to impose a monetary penalty of £90,000. As 
AMEX did not advance any new factors in its representations, the 
Commissioner did not alter her position as set out in the Notice of 
Intent. 


The Commissioner is accordingly entitled to issue a monetary penalty 


in this case. 


The Commissioner has considered whether, in the circumstances, she 


should exercise her discretion so as to issue a monetary penalty. 


The Commissioner has endeavoured to consider the likely impact of a 
monetary penalty on AMEX. In the Notice of Intent, the Commissioner 
set out her preliminary conclusion that AMEX has access to sufficient 
financial resources to pay the proposed monetary penalty without 
causing undue financial hardship; and that this preliminary conclusion 
was unaltered by the effects of the current Covid-19 pandemic. AMEX 
has not provided any information in response to the Notice of Intent 


which has caused the Commissioner to alter her position. 
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The Commissioner’s underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 
unsolicited marketing emails is a matter of significant public concern. A 
monetary penalty in this case should act as a general encouragement 
towards compliance with the law, or at least as a deterrent against 
non-compliance, on the part of all persons running businesses currently 
engaging in these practices. The issuing of a monetary penalty will 
reinforce the need for businesses to ensure that they are only 


messaging those who specifically consent to receive marketing. 


Overall, the Commissioner considers that a monetary penalty is a 
proportionate and appropriate response to the finding of a serious 


contravention by AMEX. 


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £90,000 (Ninety thousand pounds) is 
reasonable and proportionate given the particular facts of the case and 


the underlying objective in imposing the penalty. 
Conclusion 


The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 17 June 2021 at the latest. The monetary 
penalty is not kept by the Commissioner but will be paid into the 
Consolidated Fund which is the Government’s general bank account at 
the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by 


16 June 2021 the Commissioner will reduce the monetary penalty by 
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20% to £72,000 (Seventy-two thousand pounds). However, AMEX 


should be aware that the early payment discount is not available if it 


decides to exercise its right of appeal. 


There is a right of appeal to the First-tier Tribunal (Information Rights) 


against: 


a) the imposition of the monetary penalty 


and/or; 
b) the amount of the penalty specified in the monetary penalty 
notice. 


Any notice of appeal should be received by the Tribunal within 28 days 


of the date of this monetary penalty notice. 


Information about appeals is set out in Annex 1. 


The Commissioner will not take action to enforce a monetary penalty 


unless: 


e the period specified within the notice within which a monetary 
penalty must be paid has expired and all or any of the 


monetary penalty has not been paid; 
e all relevant appeals against the monetary penalty notice and 
any variation of it have either been decided or withdrawn; and 


e the period for appealing against the monetary penalty and any 


variation of it has expired. 


108. In England, Wales and Northern Ireland, the monetary penalty is 


recoverable by Order of the County Court or the High Court. In 
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Scotland, the monetary penalty can be enforced in the same manner 


as an extract registered decree arbitral bearing a warrant for execution 


issued by the sheriff court of any sheriffdom in Scotland. 


Dated the 17" day of May 2021 


Andy Curry 

Head of Investigations 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 5AF 
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ANNEX 1 


SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 48 of the Data Protection Act 1998 gives any person upon 
whom a monetary penalty notice or variation notice has been served a right 
of appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’) 
against the notice. 


2. If you decide to appeal and if the Tribunal considers: - 


a) that the notice against which the appeal is brought is not in accordance 
with the law; or 


b) tothe extent that the notice involved an exercise of discretion by the 
Commissioner, that she ought to have exercised her discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as could 
have been made by the Commissioner. In any other case the Tribunal will 
dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the Tribunal 
at the following address: 


GRC & GRP Tribunals 
PO Box 9300 
Arnhem House 

31 Waterloo Way 
Leicester 

LE1 8DJ 


a) The notice of appeal should be sent so it is received by the Tribunal 
within 28 days of the date of the notice. 


b) If your notice of appeal is late the Tribunal will not admit it unless the 
Tribunal has extended the time for complying with this rule. 
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4. The notice of appeal should state: - 


a) your name and address/name and address of your representative (if 
any); 


b) an address where documents may be sent or delivered to you; 
c) the name and address of the Information Commissioner; 

d) details of the decision to which the proceedings relate; 

e) the result that you are seeking; 

f) the grounds on which you rely; 


g) you must provide with the notice of appeal a copy of the monetary 
penalty notice or variation notice; 


h) if you have exceeded the time limit mentioned above the notice of 
appeal must include a request for an extension of time and the reason why 
the notice of appeal was not provided in time. 


5. Before deciding whether or not to appeal you may wish to consult your 
solicitor or another adviser. At the hearing of an appeal a party may conduct 
his case himself or may be represented by any person whom he may 
appoint for that purpose. 


6. The statutory provisions concerning appeals to the First-tier Tribunal 
(Information Rights) are contained in sections 48 and 49 of, and Schedule 6 
to, the Data Protection Act 1998, and Tribunal Procedure (First-tier Tribunal) 
(General Regulatory Chamber) Rules 2009 (Statutory Instrument 2009 No. 
1976 (L.20)). 
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